The risk is bigger than just me

Most organisations leverage technology to remain digitally integrated with their customers, third party service providers and business partners. Because information security maturity varies widely across organisations, third party or ‘ecosystem generated’ attacks are seen as an easier way to reach the ultimate targets, the larger corporations.

‘Third Party Cyber Attacks’ are fast becoming one of the most prominent threats to businesses in Australia. This style of attack often exploits vulnerabilities in our ecosystem and in our outsourced service providers’ environments, rather than in our own. The reason is a change in the trust dynamic: our service providers usually hold a higher degree of elevated system access so that they can integrate and do business with us more easily. With these elevated privileges, a compromise of a service provider can have an impact well beyond that provider’s own systems and can extend easily into other connected environments such as our own.

According to Symantec’s 2018 threat report, the number of supply chain attacks in 2018 is estimated to be 78% higher than in the previous year, and growing.

There have been a number of high profile data breaches as a result of these types of cyber-attacks. Most notable is the attack against retail giant Target in 2013, which saw 60 million customers affected when Target’s network was compromised using stolen login credentials. These stolen network credentials were subsequently used to plant malware and steal data from 40 million credit cards residing on Target’s Point of Sale (POS) systems. More recently, in early 2019 Taiwan-based computer manufacturer ASUS was subject to an Advanced Persistent Threat (APT): cybersecurity and anti-virus provider Kaspersky Lab identified and disclosed that threat actors had compromised the ASUS Live Update Utility, causing up to an estimated 500,000 users to download the malicious software onto their ASUS machines.

Neither Target nor ASUS was the initial compromise target in those scenarios.

To better manage the risk of third party cyber-attacks, organisations can adopt the following tactical and strategic approaches, which help manage risk and establish a security baseline between service providers and organisations.

Tactical approach (with examples)

Compromised network

Attackers will often target and look to exploit ‘weak’ points within an outsourced third party to gain access to the wider organisation’s ecosystem.

E.g. Target 2013

  • Establish clarity and oversight on outsourced services, and roles and responsibilities between entities, including the evaluation of information security and privacy policies of third parties.
  • Identity and Access Management (IAM) controls, such as rigorous authentication processes and regular reviews of privileged and general user accounts.
  • A least privilege access approach, ensuring that third parties accessing the ecosystem have only the level of access required to conduct their day-to-day business, thus managing the risk associated with accounts operating with elevated privilege.
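As an added example (not from the original article), the two controls above combined into one periodic third party access review in Python: each vendor account is compared against an approved role baseline, and accounts with roles beyond that baseline, accounts belonging to no approved vendor, and accounts unused past the review period are reported. Vendor names, roles, usernames and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Approved baseline per vendor: the roles each third party needs for its
# day-to-day work. Vendor names and roles are constructed for this example.
APPROVED_ROLES = {
    "hvac-vendor": {"facilities-portal.read", "facilities-portal.submit-invoice"},
    "payroll-provider": {"hr-api.read", "hr-api.write"},
}
REVIEW_PERIOD_DAYS = 90         # unused for longer than this counts as dormant
REVIEW_DATE = date(2019, 6, 1)  # constructed date of the review run


@dataclass
class ThirdPartyAccount:
    username: str
    vendor: str
    roles: set
    last_login: date


def review_third_party_access(accounts, today):
    """Return (username, finding, detail) tuples for accounts to be actioned."""
    findings = []
    for acct in accounts:
        approved = APPROVED_ROLES.get(acct.vendor)
        if approved is None:  # no baseline at all: the relationship itself needs review
            findings.append((acct.username, "unknown-vendor", sorted(acct.roles)))
            continue
        excess = acct.roles - approved  # roles granted beyond the approved baseline
        if excess:
            findings.append((acct.username, "excess-privilege", sorted(excess)))
        idle_days = (today - acct.last_login).days
        if idle_days > REVIEW_PERIOD_DAYS:
            findings.append((acct.username, "dormant", idle_days))
    return findings


# Constructed sample: a facilities vendor account has picked up an admin role on
# the POS network, a payroll account is idle, and one account has no known vendor.
SAMPLE_ACCOUNTS = [
    ThirdPartyAccount("svc-hvac-01", "hvac-vendor",
                      {"facilities-portal.read", "facilities-portal.submit-invoice",
                       "pos-network.admin"}, date(2019, 5, 1)),
    ThirdPartyAccount("svc-payroll-02", "payroll-provider", {"hr-api.read"}, date(2019, 1, 10)),
    ThirdPartyAccount("svc-legacy-03", "old-printer-vendor", {"file-share.read"}, date(2018, 11, 2)),
]


def run_sample():
    return review_third_party_access(SAMPLE_ACCOUNTS, REVIEW_DATE)
```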


Compromised third party infrastructure

In the world of technology, if you do not trust a website, a person or an email, you are unlikely to download or click anything associated with that untrusted source. Attackers can abuse the trust a company has built and its ability to deliver a service or product directly to consumers, opening the door to a third party cyber-attack.

E.g. ASUS 2019

  • Due diligence processes around systems can be used to evaluate the threat landscape and identify potential threats both internal and external.
  • System development and system change controls including network and environment segregation, development controls and system testing.
  • Organisations that provide products or services to end-users need to ensure what was provided is what was intended. Ensuring critical systems are subject to regular reviews and security audits reduces the associated risk by ensuring that any security gaps and vulnerabilities are addressed.
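As an added example (not from the original article), a release-integrity check in Python for the point that what was provided must be what was intended: the build system records the SHA-256 of every artifact it produced, and the copy on the distribution point is compared against that record so that anything altered, dropped or added after the build is reported. File names and contents are constructed, and the check assumes the build-time record itself is trustworthy.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(build_output: dict) -> dict:
    """Record the SHA-256 of every artifact as it left the build system.
    This manifest is the statement of what was intended to be shipped."""
    return {name: sha256_hex(content) for name, content in build_output.items()}


def verify_distribution(manifest: dict, served: dict) -> dict:
    """Compare what the distribution point actually serves against the manifest.
    Returns the artifacts that were modified, are missing, or were never built."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in served:
            report["missing"].append(name)
        elif not hmac.compare_digest(expected, sha256_hex(served[name])):
            report["modified"].append(name)
    report["unexpected"] = sorted(set(served) - set(manifest))
    return report


# Constructed sample: the build produced two files; the copy on the update server
# has one file altered and one extra file that the build never produced.
BUILD_OUTPUT = {
    "updater/setup.exe": b"INTENDED-UPDATER-BINARY-v1.0",
    "updater/setup.exe.sig": b"SIGNATURE-OVER-INTENDED-BINARY",
}
SERVED_FILES = {
    "updater/setup.exe": b"INTENDED-UPDATER-BINARY-v1.0-TAMPERED",
    "updater/setup.exe.sig": b"SIGNATURE-OVER-INTENDED-BINARY",
    "updater/helper.dll": b"FILE-NOT-IN-BUILD",
}


def run_sample() -> dict:
    return verify_distribution(build_manifest(BUILD_OUTPUT), SERVED_FILES)


if __name__ == "__main__":
    print(run_sample())
```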

Strategic approach
Understand contractual obligations
Businesses should always be required to show one another evidence of good security controls. As such, building these into contractual agreements can ensure suppliers are improving their security footprint within their own environment. This could be a matter of suppliers demonstrating the effectiveness of their controls through metrics such as time to detect threats and time to resolve them.

Up-to-date security policies and standards
Embedding security controls into supply chain policies and standards allows an organisation to form a baseline with other organisations on an approach to supply chain security. Benchmarking these policies and procedures against regulatory standards helps confirm that risk is actually being mitigated.

Conduct third party vendor risk assessments
Whenever you expose your network or a system/application to an external party outside your organisation, a thorough risk assessment should be completed to understand and assess the third party’s controls and whether they can meet your organisation’s security requirements.

Identify data owners and custodians
Identify the key owners of data/information (i.e. Business Owner, System Owner and Information Owner), who retains ownership of the data being shared, and what constitutes acceptable use of that data. This ensures all parties are aware of their roles and responsibilities in handling critical and sensitive data.

Test incident response plans
Written communication plans that identify what particular information is distributed and to whom are highly effective. Third parties involved with your network or system security should be considered part of this communication plan, and your organisation should be part of theirs, as data breaches on their end could affect your data.

AUTHORED BY

Stephanie Lo
Senior Manager, Sydney
T: +61 2 9338 2636
E: stephlo